On Wed, 4 Oct 2000, Bruce McCulley wrote:

> Hmm, seems like that "Junior Sys Admin" independent study doesn't get very good
> grades, does it?
> 
> I have some questions, especially regards Jeff's comments, see below...
> 
> Jeffry Smith wrote:
> 
> > On Tue, 3 Oct 2000, Mjo wrote:
> > [...snip...]
> > > KSC has traditionally had a Linux server that held student accounts for mail
> > > and web pages.  "Junior Sys Admin" was an independent study for running this
> > > box.  This summer it was used by a couple of people to break into places such as
> > > Bell Atlantic.  The college administration has in absolutely no uncertain terms
> > > decreed that we may only have a Linux box if it is NOT attached to the outside
> > > world.  This is unfortunately not up for any debate.   Linux in a vacuum makes
> > > very little practical sense, but that's what we have to work with.   Because
> > > this makes the "Junior Sys Admin" role almost entirely moot, it will be
> > > WONDERFUL to keep Linux possibilities here through the LUG.
> > >
> >
> > OK, what will help in convincing the administration that ANY system
> > connected to the outside world can be used to crack?  It's unfortunate
> > that this happened, and I realize their reaction is to try and prevent
> > future problems, but the reality is that the crackers will now use
> > other available computers.
> 
> One thing that was unclear was whether the crackers were legitimate users of the Linux
> box or if it had been cracked originally?  If it was cracked first, the college
> administration could have a legitimate reason to view Linux as a liability, especially
> if they have not seen other systems cracked and used as attack relays.  It is also not
> clear to me that other available computers would be equally good platforms for
> mounting attacks, depending on the tool sets and o/s environments.

It wasn't clear to me either, although I sort of assumed it was
legitimate users.  Either way, it doesn't make Linux responsible
(unless Linux has security holes which no one can find in that hidden
code :-).  However, what I meant about other available computers is,
if they have ANY computers hooked to the internet (including the ones
in the computer labs & the ones in the dorm rooms), someone can log on
and go somewhere to crack other systems.  Doesn't matter if it's
Windows NT, 98, Linux, VMS, MVS, etc.  The only toolset required is
the ability to connect to the Internet - all others are available at
poorly secured sites (which this may have been, but is beside the
point).  Cracking is attitude, not tools (let's face it, they use the
same tools legitimate sys admins use (sniffers, password checkers,
disassemblers, etc) to find problems.  It's just a matter of what they
do with the results).

> 
> > My concern here is not to get a Linux box in (much as I would like
> > it), but to ensure the Keene State administration understands that
> > it's not technology, it's attitude, that creates crackers, and that
> > their actions have done NOTHING to protect themselves, merely created
> > an illusion of security.  In the long run, it will bite them bigtime
> > when one of these incidents happens using a "secure" machine (and I
> > mean when, not if - even if they booted the crackers out, there will
> > be others).  Even worse, unless they take a proactive attitude (which
> > is not retribution, but education and understanding), they will
> > themselves get cracked, most likely from the inside.  This is a
> > reality based on real-world statistics - most computer breakins /
> > crimes happen from the inside, not the outside.
> 
> I mostly agree, but strongly disagree with that statement about proactive attitude.
> 
> I agree that education and understanding are important.  I feel very strongly that
> everyone must be held accountable for their actions, and that means that punishment
> must be meted out when it is deserved.  Doing otherwise is condoning misbehavior.  A
> proactive attitude must include monitoring and response to observed events, and that
> response should include retribution.
> 

To clarify a little bit on my meaning, I agree on holding people
accountable, but from the description, they placed a junior sys-admin
(who almost by definition is still learning the intricacies of
securing the system) in charge of a vulnerable system, then got rid of
him & the system when the crack happened.  Yes, if he did not perform
to his level of training & responsibilities, do retribution, but the
"proactive" and not retribution is not to hold people responsible to
things they have no training or control over.  I've seen too many
cases of the "let's fire the first one who makes a mistake" which
results in no one being willing to admit a mistake or ask for help (we
ALL make mistakes occasionally), which does NOT fix the problems, it
just masks them.  Then, everyone seems surprised when (not if, when)
the problems show up.  It's really another case of "security through
obscurity" - if no one admits to problems, we must not have any, and
don't tell me about any, because then we would have some, which we
don't because no one tells me about them.  It's like the most secure
code in the world is proprietary because I can't see the holes, right
;-)?  

Even worse is not being willing to provide training,
especially in security.  EVERYONE responsible for a publicly connected
box needs to be trained in security, including the stuff Kenny talked
about.




> My concern is that the KSC administration is taking an easy knee-jerk response that
> creates the illusion of security, rather than dealing with the real problem.  It's a
> lot easier and more palatable to blame technology rather than people, but the truth is
> that this kind of thing can only happen when individuals misbehave and the
> organizational environment lets them.  It's correct, there should be clear consistent
> policy against misuse of systems, measures to implement the policy, and actions to
> enforce it.
> 
> > In the long run, they are best served with clear, consistent policy,
> > systems that implement that policy, and an understanding of what
> > technology can and can't do (especially with crackers going to the
> > outside - the only way to prevent it is to cut Keene State off of the
> > internet and disable all modems, something I doubt they want to do).
> 
> Yes, but if we get rid of that nasty anarchistic open source Linux box we'll be safe
> and secure in the care of Big Brother Microsoft, right?
> :-)

Of course, didn't they promise us that W2K is the most secure Windows
they've ever produced (not that NT4 was insecure mind you, but trust
us)? 8->

> 
> --Bruce McCulley
> 
> 
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************
> 

------------------------------------------------------------------------
Jeffry Smith      Technical Sales Consultant     Mission Critical Linux
[EMAIL PROTECTED]   phone:603.930.9739   fax:978.446.9470
------------------------------------------------------------------------
Thought for today:  root mode n. 

 Syn. with wizard mode or `wheel mode'. 
   Like these, it is often generalized to describe privileged states
   in systems other than OSes.



